    SSH Logon Security

    IT Discussion
    • Kait @BRRABill

      @BRRABill Really! Is there anything like 5FA? 😄

      • stacksofplates

        If you're running FreeIPA/Identity Management you get the OTP functionality out of the box. So both SSH and console logins require the OTP for 2FA.

        We use SCAP for hardening rules and it has a decent SSH section. Things like limiting or disabling root logins, ciphers, max SSH sessions, timeouts, strict mode checking, privilege separation, encrypted X11, etc.

        • stacksofplates @BRRABill

          @BRRABill said in SSH Logon Security:

          In my thinking all of them provide a great layer of security over a plain password.

          Yes. Without a key, the password you type is sent encrypted over the network to the remote machine. With a key it is a challenge-response method like with Kerberos. The password is never sent over the network.

          • stacksofplates @BRRABill

            @BRRABill said in SSH Logon Security:

            @scottalanmiller said in SSH Logon Security:

            You can add IP locks, too. Almost 4FA at that point.

            Let's go for 5FA! 🙂

            You could almost get there with user locking. My jump box only allows a certain user group that doesn't have the sudo or su ability. So if you are coming from the outside the only users that can SSH in have no way to elevate privileges or change users.

            • stacksofplates @dafyre
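The hardening items stacksofplates lists further up (root login, ciphers, max sessions, timeouts, strict modes, privilege separation, X11) and the group-restricted jump box in the post just above can all be expressed as checks against sshd_config. The audit script below is an added example, not code from this thread, from SCAP or from OpenSSH; the thresholds, the group name ssh-users and the two sample configs it writes are constructed for illustration and should be adjusted to your own baseline.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# hardening points discussed above (root login, ciphers, session cap, idle
# timeout, StrictModes, privilege separation, X11) plus the "only one group
# may log in" restriction (AllowGroups). Thresholds and sample configs are
# constructed for illustration.

# Effective value of a keyword: sshd honours the FIRST occurrence of a
# directive and ignores later duplicates, so stop at the first non-comment
# match. Match blocks are deliberately not modelled here.
sshd_effective() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Audit one file: print a line per weak or missing setting and return the
# number of findings (0 means every check passed).
sshd_audit() {
    cfg=$1
    n=0

    v=$(sshd_effective "$cfg" PermitRootLogin)
    [ "${v:-unset}" = no ] ||
        { echo "PermitRootLogin: want no, got '${v:-<unset>}'"; n=$((n + 1)); }

    # CBC, arcfour or 3DES in an explicit list is a finding, and so is
    # leaving the cipher list to the compiled-in default instead of pinning it.
    v=$(sshd_effective "$cfg" Ciphers)
    case "$v" in
        ""|*cbc*|*arcfour*|*3des*)
            echo "Ciphers: weak or unpinned list '${v:-<unset>}'"; n=$((n + 1)) ;;
    esac

    v=$(sshd_effective "$cfg" MaxSessions)          # sshd default is 10
    [ "${v:-10}" -le 4 ] ||
        { echo "MaxSessions: want <= 4, got '${v:-10}'"; n=$((n + 1)); }

    v=$(sshd_effective "$cfg" ClientAliveInterval)  # default 0 = no idle timeout
    [ "${v:-0}" -gt 0 ] && [ "${v:-0}" -le 600 ] ||
        { echo "ClientAliveInterval: want 1..600, got '${v:-0}'"; n=$((n + 1)); }

    v=$(sshd_effective "$cfg" StrictModes)          # default yes
    [ "${v:-yes}" = yes ] ||
        { echo "StrictModes: want yes, got '$v'"; n=$((n + 1)); }

    # Removed as a directive in OpenSSH 7.5+ (always on); still worth
    # checking on older hosts where it can be switched off.
    v=$(sshd_effective "$cfg" UsePrivilegeSeparation)
    case "${v:-yes}" in
        yes|sandbox) ;;
        *) echo "UsePrivilegeSeparation: want yes/sandbox, got '$v'"; n=$((n + 1)) ;;
    esac

    v=$(sshd_effective "$cfg" X11Forwarding)        # default no
    [ "${v:-no}" = no ] ||
        { echo "X11Forwarding: want no, got '$v'"; n=$((n + 1)); }

    # Without AllowGroups (or AllowUsers) every local account may attempt SSH.
    v=$(sshd_effective "$cfg" AllowGroups)
    [ -n "$v" ] ||
        { echo "AllowGroups: unset, every account may log in"; n=$((n + 1)); }

    return "$n"
}

# Constructed sample: a permissive config of the kind a distro may ship.
# The commented-out PermitRootLogin must NOT count as the effective value.
write_weak_config() {
    cat >"$1" <<'EOF'
# PermitRootLogin no
PermitRootLogin yes
Ciphers aes128-cbc,3des-cbc,aes256-ctr
MaxSessions 10
ClientAliveInterval 0
StrictModes no
UsePrivilegeSeparation no
X11Forwarding yes
EOF
}

# Constructed sample: the same host after hardening. The second
# PermitRootLogin line is ignored by sshd because the first one wins.
write_hardened_config() {
    cat >"$1" <<'EOF'
PermitRootLogin no
PermitRootLogin yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MaxSessions 4
ClientAliveInterval 300
StrictModes yes
UsePrivilegeSeparation sandbox
X11Forwarding no
AllowGroups ssh-users
EOF
}

# Stand-alone demo: audit both samples and report the finding counts.
w=$(mktemp); h=$(mktemp)
write_weak_config "$w"; write_hardened_config "$h"
sshd_audit "$w" || echo "weak config: $? finding(s)"
sshd_audit "$h" && echo "hardened config: 0 findings"
rm -f "$w" "$h"
```

Run it as-is to see the two sample audits, or call `sshd_audit /etc/ssh/sshd_config` on a real host; the exit status is the number of findings, which makes it easy to wire into a cron job or a configuration-management check.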

              @dafyre said in SSH Logon Security:

              Another good question... Is there an easy way to share a key repository? Say that I have 50 Linux machines... do I need to manually put my key on all 50 of them, or is there a way to manage one central set?

              Our Identity Management stuff holds the public key in LDAP and the users can authenticate against that (if the machine is joined to the domain). Most users are using Kerberos but we have a few set up with keys because of applications that run for long times.

              Also, like Scott said, if you have NFS or SAMBA mounted home directories it will just work.

              But both of these do away with the one key per machine philosophy.

              • scottalanmiller
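A central key store such as the LDAP-held public keys described above is wired into sshd through the AuthorizedKeysCommand directive rather than per-host authorized_keys files. The script below is an added example, not code from this thread or from FreeIPA/SSSD; it uses a constructed flat file in place of LDAP so it runs offline, and the script path, the directory file location and the key blobs are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the shape of an AuthorizedKeysCommand
# that lets sshd fetch a user's public keys from a central directory. A flat
# file stands in for LDAP here; in production the lookup would query the
# sshPublicKey attribute, or on FreeIPA/SSSD-joined hosts you would point
# AuthorizedKeysCommand at /usr/bin/sss_ssh_authorizedkeys instead.
#
# sshd_config side (OpenSSH 6.2 or later; %u expands to the login name):
#   AuthorizedKeysCommand /usr/local/sbin/dir-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
# The script path above and KEY_DIR below are placeholder locations.

KEY_DIR=${KEY_DIR:-/etc/ssh/central-keys}

# Constructed directory: one "uid:key" record per line. The key blobs are
# placeholder text in ssh-ed25519 shape, not real key material.
write_key_directory() {
    cat >"$1" <<'EOF'
alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER000000000000000000000000001 alice@laptop
alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER000000000000000000000000002 alice@desktop
bob:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER000000000000000000000000003 bob@laptop
EOF
}

# The name sshd hands over is whatever the client asked for, so validate it
# as a plain POSIX login name before it goes anywhere near a directory query.
valid_login_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Emit the keys for exactly this user in authorized_keys format, one per
# line. A non-zero exit (invalid name or no keys) means sshd simply moves on
# to its other authentication methods; nothing is granted.
authorized_keys_for() {
    user=$1 dir=$2
    valid_login_name "$user" || return 1
    awk -F: -v u="$user" '$1 == u { sub(/^[^:]*:/, ""); print }' "$dir" | grep .
}

# Entry point when sshd invokes the script: argument 1 is %u. Guarded so
# that sourcing the file for the functions alone prints nothing.
if [ $# -eq 1 ] && [ -r "$KEY_DIR" ]; then
    authorized_keys_for "$1" "$KEY_DIR"
fi
```

Keep the directory file (or the LDAP bind credentials) readable only by the AuthorizedKeysCommandUser account, and remember that sshd ignores the command's output entirely if the script is not owned by root and mode 0755 or stricter.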

                We have some boxes that have no SSH. We use Salt. If we need SSH, we can turn it on and lock it down for the user in question and shut it down when the need is no longer there.
